Paper 2021/079
A Side-Channel Attack on a Masked IND-CCA Secure Saber KEM
Kalle Ngo, Elena Dubrova, Qian Guo, and Thomas Johansson
Abstract
In this paper, we present the first side-channel attack on a first-order masked implementation of IND-CCA secure Saber KEM. We show how to recover both the session key and the long-term secret key from 16 traces by deep learning-based power analysis without explicitly extracting the random mask at each execution. Since the presented method is not dependent on the mask, we can improve success probability by combining score vectors of multiple traces captured for the same ciphertext. This is an important advantage over previous attacks on LWE/LWR-based KEMs, which must rely on a single trace. Another advantage is that the presented method does not require a profiling device with deactivated countermeasure, or known secret key. Thus, if a device under attack is accessible, it can be used for profiling. This typically maximizes the classification accuracy of deep learning models. In addition, we discovered a leakage point in the primitive for masked logical shifting on arithmetic shares which has not been known before. We also present a new approach for secret key recovery, using maps from error-correcting codes. This approach can compensate for some errors in the recovered message.
Metadata
- Available format(s)
-
PDF
- Category
- Public-key cryptography
- Publication info
- Preprint. MINOR revision.
- Keywords
- post-quantum cryptographySaber KEMside-channel attackpower analysis
- Contact author(s)
- dubrova @ kth se
- History
- 2021-01-22: received
- Short URL
- https://ia.cr/2021/079
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2021/079,
author = {Kalle Ngo and Elena Dubrova and Qian Guo and Thomas Johansson},
title = {A Side-Channel Attack on a Masked IND-CCA Secure Saber KEM},
howpublished = {Cryptology ePrint Archive, Paper 2021/079},
year = {2021},
note = {\url{https://eprint.iacr.org/2021/079}},
url = {https://eprint.iacr.org/2021/079}
}
